Question: We are using Remote Desktop in Windows Server 2003 for Windows server management. The current configuration of the application server allows all Remote Desktop users full control of the server, its files and its data. We want to limit the users' rights by removing their access to Windows Explorer and the DOS command prompt, but when they try to save a report setup within the application, they cannot browse the folders. How can we fix this?
- Posed by a SearchWindowsSecurity.com reader.
Brad Dinerman's answer: The solution to this problem depends on the nature of the application that your Remote Desktop end users are running. If you create shares on the folders that contain the
data and then map drive letters to them, the application may allow you to configure it to automatically open/save from that drive letter, bypassing the use of Windows Explorer.
Alternatively, you can configure a startup application in the Terminal Services Configuration administrative console.
- Start the console and select the Connections node in the left pane.
- In the right pane, double-click RDP-TCP to open its Properties sheet.
- Select the Environment tab, and then click the third radio button, "Start the Following Program When The User Logs On."
- Enter the full path to the program in the Program Path and File Name field, such as C:\Program Files\Microsoft Office\OFFICE11\winword.exe, and enter just the part in the Start In field, such as C:\Program Files\Microsoft Office\OFFICE11.
- Click OK to save your changes.
The next time a user logs on to that Terminal (application) Server, he will see only the application that you've specified and will not be able to navigate around the server outside of that application.
